A software update for 3.0 customers (upgrade for earlier customers) is now available as SoftNAS 3.1, released today.
This release contains fixes for the much publicized Shell Shock bash shell vulnerability. The Shell Shock fix is an update to bash that can be applied on existing SoftNAS systems in several ways:
1. Apply the software update to a 3.0 system (not reboot required)
2. Apply a software upgrade to older 2.x systems (requires a reboot and maintenance window)
3. Simply apply only the Shell Shock fix as a “yum update bash” to any system.
Be sure to read and follow the release notes carefully as you choose which approach to take.
From a practical standpoint, the Shell Shock exploit is not actually available to anonymous attackers of SoftNAS systems, because authentication is required by Apache before any access is allowed. Nevertheless, SoftNAS recommends the fixes be applied to all SoftNAS systems as soon as practical from an IT operations standpoint.
The 3.1 release contains additional fixes plus SoftNAS for Azure, Early Access Program (EAP) support, details of which will be available next week (stay tuned for more on that).